A
Andrew Robinson
I have a public web server that runs behind a firewall at a hosting
facility. We own and control the server. I need to make occasional updates
and changes to data stored in SQL and am unable to establish any type of VNP
or SSL connection to the server due to hardware restrictions at this time.
I would like to make these updates using Web Services. I understand how to
embed a username / password in a SOAP header, but it would seem to me that
an attacker could simply replicate the username / password since I am unable
to use SSL at this time. Or is there another approach to encrypting these?
(Read on.)
If I encrypt the username password using a .NET cryptographic provider,
couldn't an attacker simply use the encrypted username / password?
How about adding a time component to the encoded username / password data
structure such as DateTime.Now.Ticks? This would make every username /
password unique. In addition, I could test the uuencoded time factor to get
an age on the username / password. If the absolute age of the time factor is
older than about 500 (1000?) milliseconds, I would assume it is invalid.
I have tight control over both the web server and my client updating
machine. I would use the same symmetric encryption key on both machines and
would have to insure that the clocks on both machines are synchronized to
one another within a small error factor.
The actual data that I am transferring is really not sensitive and it does
not need to be encrypted; I just need to insure that only I am able to make
updates to via the web services.
Seem like a reasonable approach?
facility. We own and control the server. I need to make occasional updates
and changes to data stored in SQL and am unable to establish any type of VNP
or SSL connection to the server due to hardware restrictions at this time.
I would like to make these updates using Web Services. I understand how to
embed a username / password in a SOAP header, but it would seem to me that
an attacker could simply replicate the username / password since I am unable
to use SSL at this time. Or is there another approach to encrypting these?
(Read on.)
If I encrypt the username password using a .NET cryptographic provider,
couldn't an attacker simply use the encrypted username / password?
How about adding a time component to the encoded username / password data
structure such as DateTime.Now.Ticks? This would make every username /
password unique. In addition, I could test the uuencoded time factor to get
an age on the username / password. If the absolute age of the time factor is
older than about 500 (1000?) milliseconds, I would assume it is invalid.
I have tight control over both the web server and my client updating
machine. I would use the same symmetric encryption key on both machines and
would have to insure that the clocks on both machines are synchronized to
one another within a small error factor.
The actual data that I am transferring is really not sensitive and it does
not need to be encrypted; I just need to insure that only I am able to make
updates to via the web services.
Seem like a reasonable approach?